InfoPath – User Roles in Browser-Enabled Forms Using AD Groups

MAJOR REVISION – Now using GetCommonMemberships web method to determine group memberships for users without needing to use contact lists or any other manual data source!

So, you need to restrict certain controls in your InfoPath form, but it’s browser-enabled, and you just found out that User Roles are not supported, huh? You also see that SharePoint permissions do not help restrict specific areas within your form, so what do you do? There are probably several methods, but here is the one I have come up with that uses all built-in functions of InfoPath and MOSS 2007 without any code and leverages Active Directory Security Groups.

Special thanks to a co-worker of mine – Irene Clark– who I taught to use the UserProfileService and subsequently figured out on her own that GetCommonMemberships could help with User Roles. She showed it to me, and I immediately jumped on it to come up with what you see here. Thank you very much, Irene!

Here is an outline of the steps with the assumption that you already have a working, browser-enabled form. If anyone needs me to write up the basic steps of creating a browser-enabled form from scratch, let me know via the Blog Request Log:

Add GetCommonMemberships data connection

Add necessary fields to form template and configure them

Add conditional formatting to applicable controls

User Profile Service – GetCommonMemberships Method

We must add this superb web service to our form template as a data connection. Please use the first 8 steps of Itay’s writeup to get this done as I can only give him credit for my extensive knowledge of this web service. Once you’ve added it successfully, we need to do a few things with it using the later steps in Itay’s blog. Here are the steps. They are only text with no screens, so I will just paste them here. Remember that we are leveraging a different web method than Itay, but it’s the same web service:

With InfoPath opened go to Tools > Data Connections, and click ‘add…’ to add a new data connection to the form. This opens up the Data Connection Wizard.

We want to receive data from the WS about the current user, so choose ‘Receive data’ and click next.

Here you get a list of all methods for that WS; choose GetCommonMemberships and click next.

In this screen you can specify what parameters are sent to the method, we are relying on the method’s ability to return the current user name if no value is passed to it, so we will leave this as is (no value is passed to the method) and click next.

Click next and make sure ‘Automatically retrieve data when form is opened’ is checked.

Finish the wizard.

In this solution, the GetCommonMemberships (GCM) method of the UserProfileService will provide the values we need to check a user’s Active Directory (AD) Security Group (SG) and Distribution List (DL) membership. This method also provides SharePoint (SP) Site membership, but that is not as useful as if it provided SP group membership, which it does not. I will be focusing only on the AD group memberships for this write-up. Here are some steps showing how to use and see what this method provides:

View this method’s node structure

Drag the whole repeating group to the canvas and preview to see the result

Reduce the table to the most useful fields and decide which ones you want to leverage

Filter to show only the AD groups

Create a dropdown control bound to an element in your main data source that will show a selectable list of groups for a given user

Use this information to apply conditional formatting on other controls

Notice that the node structure in the GCM method (Fig 1) is much more friendly than GetUserProfileByName. You can clearly see the information that is available, and the nodes are self-explanatory for the most part.

Fig 1 – GCM Node Structure

Grab the MembershipData repeating group onto the canvas and choose Repeating Table when prompted. This lays out the entire node structure nicely, although you will need to expand the table and the columns in order to clearly see the data (Fig 2).

Fig 2 – Full GCM Repeating Table Structure with Sample Data

In my opinion, certain fields are not useful to us due to either not having data or not having data that is useful for determining User Roles. I will delete the columns named Group Type, Privacy, ID, Member Group ID, and Group (Fig 3). Notice that Member Group ID does have some unique info, but I am not yet sure how to leverage that data. You may also want to remove the SourceInternal field from the MemberGroup section, because it shows the same GUID each time (at least in my system). As for the remaining fields, here are my notes so far:

Source: This shows whether the record is an AD group (noted as “DistributionList”) or a SharePoint site membership (noted as “SharePointSite”). Notice, these are not SharePoint groups, but rather site memberships, and only where the user has been specifically added to that site with permissions as opposed to inheriting permissions through AD SG membership. The AD groups include both SGs and DLs, which is important to know.

Member Group – Source Reference: This shows the Organizational Unit path in Active Directory of the DistributionLists and shows a GUID for SharePointSites.

Display name: This is the Display Name of the group as defined in AD. In Outlook, this name can typically be used as an addressee for an email, and the name will resolve to the email address. This name SHOULD be unique and will be what we use for our User Role matching later. For SharePointSites, this is just the site name.

Mail NickName: This is the alias for that group in AD, and it also will resolve to the email address when used in Outlook. However, I found in my system that there were _two_ separate contacts in the GAL with the same alias. That should not happen, and I will be notifying the AD admins, but the fact that it did happen with a common SG I use means it is not a guarantee, so be wary of that. The same could potentially happen for Display Name, but that is a much longer and more specific name while aliases are sometimes just a few letters. There is no nickname for SharePointSites.

URL: This is the direct email address for the group in the form of mailto:name@domain.com. This also could be a very good source for matching groups and/or for sending emails. Again, the email address SHOULD be unique, but that all depends on how well your AD is maintained. For SharePointSites, it shows the URL to the site.

Fig 3 – Partial GCM Table with Relevant Columns Only

If you ever plan to use this method for displaying a user’s list of group memberships, you may want to only show the DistributionList records. To do so, simply right click on the repeating table itself and create a conditional formatting rule that hides the control if the Source node is equal to “SharePointSite” in it (Fig 4). Interestingly, when going through the wizard to set this condition, the wizard automatically detected the available options for that node. I am used to seeing that with my main data source, but it does not always happen when referencing a secondary data source node. In this case, it helps to quickly choose the right selection without the potential for a syntax error. The result will be that you only see DistributionList records in the repeating table, which is the information that would be useful.

Fig 4 – Set Filter on GCM Table to Only Show AD groups

You may also at some point wish to show a user’s group memberships in a pulldown and then use a particular selection to trigger a rule or match some other condition elsewhere in the form. You may even use it to see another user’s memberships (other than the current user) and then select a group to then invoke the UserGroup web service (or possibly other available web services/methods similar to this) to enumerate the users in the group. That is outside the scope of this write-up, but it’s something to consider. To set up the dropdown, follow these steps:

Create a text data element in your main data source with whatever name you prefer

Drag that field to the canvas, which makes a text box

Right-click that box and change it to a Drop-down List Box

Double-click the dropdown to get to its properties (Fig 5)

Select the radio button that says, “Look up values from an external data source“

For the Data Source, choose GetCommonMemberships

For Entries, click the button, drill down through the groups, and select the MembershipData repeating group

For Value, choose whatever node you prefer as your primary key (unique value). DisplayName, Nickname, and URL are all suitable.

For Display Name, choose the DisplayName node

Click OK until done and preview the form. You should see the friendly names of your groups all listed in the dropdown. Since this is a browser form, we cannot filter the dropdown (at least until we get SharePoint 2010!), so you will see the SharePointSites, too.

First, manually create all the fields and groups you see below (Fig 6). Notice that strAdmin and strFinance have default values. Do not mimic these in your real form, because they will depend on your group names, which we’ll get to shortly.

Fig 6 – Data Structure

Next, we need to create our layout on the canvas (Fig 7). For this example, I just simply have two sections that are bound to grpAdmin and grpFinance (do not include their child fields), respectively, along with some text and a color for differentiation. I also have a repeating table bound to the MembershipData repeating group of the GetCommonMemberships method that is only showing the DisplayName element. This is only on the form for now to show what is happening, but it would not be on the form when using this concept unless you have some reason for showing the current user’s groups. You get this on the canvas by following the steps shown in Figures 2-4.

Fig 7 – Form Layout

After that, we need to assign our initial values that will play a part in the security of our form. For this exercise, we will use two Group Check Fields. This part is important, because this is what defines the group memberships in your form that will be leveraged for User Roles. I am using “Sharepoint Admins” and “Finance,” because those are the _exact_ words that show up in the DisplayName field of GetCommonMemberships (refer to Fig 2). In your case, you’ll want to add a field for each group that you want to define for your User Roles and set its default value accordingly:

Drill down the dataFields path until you get to DisplayName, which you should single-click

At the bottom of this box where it says Select, choose the phrase All occurrences of DisplayName, then click OK

For the Operand, choose are not equal to

In the last box, click the pulldown and choose Select a field or group, then choose strAdmin from the main data source

Lastly, in the Formatting area, check the box for Hide this control

Fig 8 – Conditional formatting to hide sections from unintended users

Finance Section – Do the same thing as with the Administrators Section except in the last box of the conditional formatting setup, choose strFinance. This will compare the current user’s list of group memberships with the exact name of the Finance security group, which is what we set the value of strFinance to be.
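The check that the conditional-formatting rules above perform, worked through in code as an added example (not part of the original post or of InfoPath itself). It parses a constructed, simplified GetCommonMemberships result (namespaces omitted, group names and GUID are made up), applies the “hide when no DisplayName equals the Group Check Field” rule, and also shows the two pitfalls the field notes mention: a SharePointSite record whose site name happens to equal a security group name, and a duplicate Mail NickName.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a GetCommonMemberships result, reduced to the nodes the
# post discusses. Real responses carry SOAP/namespace wrapping, which is omitted.
SAMPLE_GCM_RESPONSE = """<GetCommonMembershipsResult>
  <MembershipData>
    <Source>DistributionList</Source>
    <MemberGroup><SourceReference>OU=Groups,DC=example,DC=local</SourceReference></MemberGroup>
    <DisplayName>Sharepoint Admins</DisplayName>
    <MailNickname>spadmins</MailNickname>
    <Url>mailto:spadmins@example.local</Url>
  </MembershipData>
  <MembershipData>
    <Source>DistributionList</Source>
    <MemberGroup><SourceReference>OU=Groups,DC=example,DC=local</SourceReference></MemberGroup>
    <DisplayName>Finance Interns</DisplayName>
    <MailNickname>fin</MailNickname>
    <Url>mailto:fin@example.local</Url>
  </MembershipData>
  <MembershipData>
    <Source>DistributionList</Source>
    <MemberGroup><SourceReference>OU=Contacts,DC=example,DC=local</SourceReference></MemberGroup>
    <DisplayName>Field Inventory</DisplayName>
    <MailNickname>fin</MailNickname>
    <Url>mailto:inventory@example.local</Url>
  </MembershipData>
  <MembershipData>
    <Source>SharePointSite</Source>
    <MemberGroup><SourceReference>11111111-2222-3333-4444-555555555555</SourceReference></MemberGroup>
    <DisplayName>Finance</DisplayName>
    <Url>http://intranet/sites/finance</Url>
  </MembershipData>
</GetCommonMembershipsResult>"""


def parse_memberships(xml_text):
    """Flatten each MembershipData record into a dict of the useful fields."""
    root = ET.fromstring(xml_text)
    records = []
    for node in root.iter("MembershipData"):
        records.append({
            "Source": node.findtext("Source", ""),
            "SourceReference": node.findtext("MemberGroup/SourceReference", ""),
            "DisplayName": node.findtext("DisplayName", ""),
            "MailNickname": node.findtext("MailNickname", ""),
            "Url": node.findtext("Url", ""),
        })
    return records


def ad_groups(records):
    """Same as the Fig 4 filter: keep only AD security groups / distribution lists."""
    return [r for r in records if r["Source"] == "DistributionList"]


def section_hidden(records, group_check_value, ad_only=True):
    """Mirror the Fig 8 rule: hide the section when every occurrence of
    DisplayName is not equal to the Group Check Field (strAdmin / strFinance).
    ad_only=False reproduces the rule exactly as written, over all records;
    ad_only=True first drops SharePointSite records so a site whose name equals
    a group name cannot satisfy the check."""
    pool = ad_groups(records) if ad_only else records
    return all(r["DisplayName"] != group_check_value for r in pool)


def duplicate_values(records, field):
    """Return values of `field` shared by more than one AD group. Use this to
    decide whether a field is safe as the unique key before matching on it."""
    seen, dupes = set(), set()
    for r in ad_groups(records):
        value = r[field]
        if not value:
            continue
        if value in seen:
            dupes.add(value)
        seen.add(value)
    return dupes


def visible_sections(records, group_checks):
    """group_checks maps a section name to its Group Check Field value."""
    return sorted(name for name, group in group_checks.items()
                  if not section_hidden(records, group))


if __name__ == "__main__":
    recs = parse_memberships(SAMPLE_GCM_RESPONSE)
    checks = {"Administrators": "Sharepoint Admins", "Finance": "Finance"}
    print("AD groups:", [r["DisplayName"] for r in ad_groups(recs)])
    print("Visible sections:", visible_sections(recs, checks))
    print("Duplicate aliases:", duplicate_values(recs, "MailNickname"))
```

With this data the user is a member of the “Finance” site but not of a “Finance” group, so the rule as written over all records would reveal the Finance section while the Source-filtered version hides it.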

Now, it’s time to show it in action. In my scenario, I have two user accounts:

Clayton Cobb – I am in the Sharepoint Admins SG but not in Finance

SharePoint Tester – He is in the Finance SG but not in SharePoint Admins

I’ll start with SharePoint Tester logged in (Fig 9), who will open a new browser form (Fig 10).

Fig 9 – SharePoint Tester logged in

Fig 10 – SharePoint Tester only sees the Finance section

After saving the file as the SharePoint Tester, I will now log in as myself (Fig 11) and open the existing form (Fig 12).

Fig 11 – Clayton Cobb logged in

Fig 12 – My account only sees the Administrators section

After it is all working, be sure to remove the repeating table from your form, or if you decide to show it for some reason, you may want to make that field read-only so that users can’t manually change it.

That’s all there is to it! You can now leverage Active Directory distribution lists and security groups for providing a mock User Roles functionality in Browser Forms without writing any code and while maintaining Domain Trust. The key here is that when looking at the same form, two separate users will see different information based on their group memberships in Active Directory. Imagine the other ways you could leverage this by restricting individual controls, whole sections, or even entire views, which is very powerful!

Alana said:

John said:

Is there any reason anyone can think of where this wouldn’t return groups for the current user? I’m logged in to my local machine, but VPN’d into a site that allows me to use “GetUserProfileByName” and it returns my domain information (based on who I’m logged in as through the VPN; testing with an InfoPath form in ‘client’ mode).

I even tried making a list box that was populated from the data connection where accountName=DOMAIN\Administrator, and still nothing.

Clayton Cobb said:

Are you certain that your expected username is being sent to the web service? You mentioned that something works in client mode, but that is not indicative of what will happen in browser mode. As a test, put a new text field on your form canvas and set the default value to the function userName(). See what that says – it should default to the username of the account you’re logged into your MACHINE with, which may not be the one you prefer, and be sure to only test in browser mode.

If you see the proper username in browser mode, and there are no data access errors, then make sure that user account actually resides within AD Security Groups or Distribution Lists that have been imported to the profile database via your SSP.

Now that I have that working (at least using the repeating table test just to see the groups come back for the current user), what I’d like to get working is to be able to pass a parameter as a filter to myFields\queryFields\s0:GetCommonMemberships\accountName and have it return the groups for that user.

I tried passing currentUser as well as passing it the string DOMAIN\me (obviously replacing DOMAIN and me), and it doesn’t work.

Is there a security limitation to not being able to query on that for someone other than the current user? Do I need to pass a formulated LDAP name for that to work, vs a name like DOMAIN\me?

Clayton Cobb said:

John, you’re in luck. I explain exactly how to do that in my other blog post named “InfoPath – Get user information without writing code (extended)” at this URL: https://claytoncobb.wordpress.com/2009/06/21/userprofileservice-extended/. Use that technique to send a different username to the GetCommonMemberships web method so that you can get that user’s group memberships in AD. The value you want to pass is the username and not the domain name, such as “ccobb,” but not “domain\ccobb.”

To be clear, yes, you can always send a new query value to get data. The fact that it works on form load is just a bonus that is built in, but it’s no different than sending another username as long as it has the correct syntax AND as long as it exists in the profile database.

John said:

Background on how I’m implementing this: I’m using a ‘Contact Selector’ control to let them pick a person, and because I can’t hang ‘rules’ off the Contact Selector control, I gave them a ‘Get Groups’ button. When you click it, it follows your example, and it sets values (AccountId and DisplayName) under ‘another’ Contact Selector control. The values being the groups of the person in the first Contact Selector control.

1) It seems like the groups come back as ‘group’ and not ‘DOMAIN\group’, which I’d like to store in AccountId in the second CS control. Not a ‘huge’ problem, as the target audience is all in one domain, and I can put that in a configurable business keyword that they could change later, and concatenate it together with the ‘flat’ group names that are returned (if I have to go that way), but I figured I’d list the issue.

2) This one is a bit more of a problem, and makes me think I’ll need to take this to some C# code-behind, which wouldn’t be the worst thing in the world. I put myself in multiple groups (that have email addresses), forced a profile import to sharepoint, verified the new group came across and the existing group was still there, as an added bonus, I put ‘another’ user solely in the new group, just to verify the group exists, and ran the button.

If I pick the new user (who is only in the new group), it returns the new group. If I pick myself, it pulls back the first group only, and not the new group. I’m assuming this might be a limitation with it only pulling back the ‘first’ item from the data source? Doing the repeating table trick is nice to visually ‘see’ everything, but is it possible to take the repeating values from a data source result and set them as repeating values in another field?

If that’s not possible, let me know. I’m pretty confident I can lift this up and take it to code behind.

Thank you very much for the help thus far. Slowly but surely I’m learning.

Clayton Cobb said:

For #2, what is it you are trying to do with the repeating list of groups for a given user? You say you are able to display them in a repeating table the way I showed but that you can’t do something else with those values. What is that “something else” you are trying to do? Why do you need to set the group values elsewhere? Are you trying to resolve these groups into a contact selector that shows each group a user belongs to? Let me know the purpose and goal of this so that I can help you achieve it without code. Just in case it’s relevant to your goal, review my Copy SharePoint List Data to Main Data Source: https://claytoncobb.wordpress.com/2009/08/03/infopath-copy-sharepoint-list-data-to-main-data-source/

John said:

As it turned out, I went with a programmatic solution, using AppendChild to add all the groups returned by the GCM call into each of the things under my contact selector (GroupGroup). That seemed to work out well. Now they pick a name in the first Contact Selector from the AD, and click a button next to it called ‘Get Groups’, which populates a list of all the groups they belong to.

The reason for the two controls is you first use a CS to pick a person to retrieve groups from, and then use the second CS (which now has the groups for that person in it) to either add to those groups or remove from them, using the AD picker.

Thanks again for all the help!

Note: If there is a non-programmatic way to get multiple values returned by GCM into multiple entries under a Contact Selector, I’d still love to see it. Using the simple Set Field under Rules seemed to bark when I picked anything other than an end, non-repeating data value, which would only ever return the first group.

Clayton Cobb said:

Your code makes the form require full trust, right? That’s not a best practice and is something you want to avoid always if you can. I think you will find that copy table may work, but I may need to do some of my own testing to be sure.
Sent from my Verizon Wireless BlackBerry

John said:

Actually, I published it this morning still set to ‘Default’ and it’s working like a champ.

Keep in mind, these forms all run inside the InfoPath client (as making these things web only, at least with 2007, is far too limiting at this point … but I see they are fixing some of that with 2010, which will be nice).

John said:

Well, the code isn’t much of a change from what you presented here, just doing the same thing, but in code (using the same data source). The reason I needed code was to step through the items returned and AppendChild:

John said:

Clayton Cobb said:

To be clear, the CopyTable qRule does inject code into the form, so it’s not even a no-code solution itself. You just don’t have to write or test the code yourself, and it allows InfoPath form designers to incorporate the feature into every form without writing any code. Definitely not a “no-code” solution, though.

Amuro Ray said:

A problem that I’m having with this is that it’s not showing me my AD groups. Would this happen because of the way I imported the user profiles into Sharepoint? I did not do the automatic import of users from AD because it’s a mess and I didn’t want to bring the mess into Sharepoint.

Clayton Cobb said:

How did you import them then? In order for anything to show up with any of the built-in MOSS web services, the data has to be in the SharePoint profile database. We have found several reasons for groups not to show up in the comments above, but it seems to always come back to the data not being in the profile database, but that can have several causes. You need to make sure those groups in AD have email addresses, and then you need to be sure they are in the profile database by doing a proper profile import. After that, the information will show up when calling the web service.

Amuro Ray said:

The way we have been importing the user accounts is by clicking on “New Profile” button and then typing in the username for “Account Name.” After that, we would press the “Check Names” button and it would know who we are looking for through AD. Then we would hit “Save and Close.” After we press that button, we can go back into the account and see that it automatically pulled in the other fields.

When I try the process above, I am able to see my Sharepoint Site Memberships. It’s just the AD groups I can’t see.

Clayton Cobb said:

I’m not sure that method will pull in the groups automatically. The fact that it shows your other data and the SharePoint Sites is a pretty good indicator that it’s not bringing in all the necessary AD info, specifically the group memberships.

dan said:

I have a form that has an area that should only be seen by people in a particular SP group. We use Nintex workflows, and what we do is in the form the user can select a group of users and then these users are populated into a group created just for this form. Once the form is closed, the group is deleted. Whilst the form is in a status of “open” the users in the group all have rights to edit the hidden field (it is a stakeholder discussion area).

Clayton Cobb said:

It’s a pretty common error when working with data connections, especially web services. That error likely means that the account you’re using cannot authenticate to the web service. Take the URL of the web service and paste it into a browser. Do you see results? Are you using Firefox or IE when opening the form? Are you on the SharePoint server or a client? Does the UserProfileService work in any of your browser forms?

Clayton Cobb said:

Then you have to figure out what permission restriction you have in place so that your users can utilize it. It’s only restricted like that due to settings in your particular farm. By default, this web service is readable by all authenticated users. There are a few places to check: 1) Make sure that in the SSP for this site, all authenticated users have Read permissions on the Personal Features within the Personalization Service Permissions. 2) Make sure that the IIS site does not have Anonymous access enabled. 3) If it’s a multi-WFE farm, convert the data connection to UDC. First create a data connection library in your site collection root (top-level site), then convert the data connection to UDC and specify that DCL library for saving it. After doing this, go to the DCL to publish and approve, because content mgmt is enabled on DCLs by default.

#1 should be the first thing you check, because it’s easy and is usually the issue.

Lee said:

I haven’t had a chance to make and test any changes yet but looking at your suggestions I know immediately that I removed all personalization permissions to get rid of that pesky My Site option I didn’t want users clicking.

There are other ways of achieving that, so I can give personalization permissions back and go through your tutorial again.

Thanks again. Great blog.

Clayton Cobb said:

Actually, you get rid of the MySite link by removing “Create Personal Sites,” but you can leave “Personal Features” turned on. That way, they have no MySite link but can still use the profile services.

Why do you refer to MySites as pesky? They are one of the most valuable parts of SharePoint in my opinion. They are great for user adoption, spontaneous collaboration, for giving users a place to play around and test without messing up production sites, etc.

-Clay

Lee said:

That’s what I did and my permission problems are over. I’ve read over the page a few times just to be sure I am not missing anything, and as far as I can see I have followed your steps properly – but I am only getting SharePoint memberships, no AD SGs or DLs.

I did a ‘full import’ from the SharePoint User Profiles and Properties just in case that might help but it made no difference.

Just to check that the username being sent back is not an issue, I made a username field and also created a separate connection for GetUserProfileByName – both worked as expected, so no issues there.

Any suggestions would be appreciated.

(As an aside, I will consider your points on MySite – to be honest, we did not really look at it before switching it off, just made a kneejerk reaction at adoption. I have created a MySite for myself and will spend some time with it.)

Clayton Cobb said:

I’m glad you will consider the value of MySites. I have heard of people having that same knee-jerk reaction and thinking MySites are a bad thing, but to the contrary, they are an awesome feature of SharePoint. You really have nothing to lose with giving people the OPTION of using them. What you could do is run a pilot by creating a new AD Security Group with only a limited # of people in there, and then give that group the Create Personal Site permission in the SSP so that only those folks even see the My Site link for piloting purposes.

For you not to see groups, they either are not in the profile database, or that particular user does not have any groups associated.

John Stream said:

3) If it’s a multi-WFE farm, convert the data connection to UDC. First create a data connection library in your site collection root (top-level site), then convert the data connection to UDC and specify that DCL library for saving it. After doing this, go to the DCL to publish and approve, because content mgmt is enabled on DCLs by default.

This is money! I’ve been trying to figure out why my forms were intermittently working in my two-WFE farm, and this not only made it work 100%, but also increased the form load speed. Two days to get this figured out. Well done Clayton.

Clayton Cobb said:

John, glad that helped. However, you may want to test your forms in multiple browsers (IE/FireFox/Safari/Chrome) to be sure you don’t have any double-hop authentication issues with multiple WFEs. I need to blog all about that, but blogging is pretty low on the priority list these days. =D

Katherine said:

Is there a way to make a forms library so the form submitter can only see their own form? I need to make a request for leave form but we want the employees to only be able to see their own forms. They want to use an InfoPath form in SharePoint but I can’t figure out how to secure it. I can make the rest of the workflow do what I want but everybody that can submit can open any form.

Clayton Cobb said:

Katherine, yes, this can be done. I have 2 codeless options for you – one that uses obscurity, and one that uses actual security. You can see my video showcasing this exact scenario on the front page of my blog. Here is the direct link to the vid: http://www.cospug.com/Sessions/InfoPath%202010%20Codeless%20Leave%20Request%20Form.aspx. In this vid, I’m showing off 2010 features, and the dynamic permissions on the forms are OOTB functionality of SPD2010. However, for 2007, you will need to install a set of custom SPD workflow activities in order to get this same functionality. Anyway, here are the two methods:

Obscurity: Simply add a view to your form that has no data and simply says “Unauthorized Access.” Use Form Load rules to check the identity of the current user, and then if that user is not the creator nor the manager (or whoever else is allowed to see all forms), then switch to the unauthorized view. Using this method, people can still ‘see’ all the forms, but when opening in InfoPath, they see no data. This method does not obscure, hide, nor protect any data that has been PROMOTED to the SharePoint form library, which means the promoted fields will show up in the library as columns even if the form isn’t opened. Also, if someone chooses to save the XML file locally and open with notepad, then they’d see all the raw XML data.

Security: Use SharePoint Designer 2007 custom workflow activities. Go to Codeplex and get the package: http://spdactivities.codeplex.com/. When the form is submitted initially, make sure your first step is to Delete List Item Permissions (in this action, remove the group that contains all users who are allowed to submit a request), then the 2nd action is to Grant Item Permissions back to the person who created the form. For admin/HR/managers, simply give them permissions via different groups at the list level and don’t change their permissions at the item level unless necessary.

I’m trying to follow your instructions step by step to get some practice. When I put the “Membership” into the canvas as a repeating table, it displays the membership of the sharepoint sites for me. I don’t see any of the AD group that I’m a member of. In the source, there’s a “Distribution List” entry, but when I select that, the data in other columns don’t change. Have I missed any steps?

I know the user account is definitely a member of a lot of AD groups. They are probably not imported into Sharepoint profile. And you mentioned this approach doesn’t give you the list of sharepoint groups that the user might be a member of. So, I guess, I won’t be able to implement user role unless I give up browser based form, which I don’t prefer.

Let me know if you have any other ideas. I can probably create separate sharepoint lists and then retrieve information from it for users, but I don’t want to manage those lists manually. I think it’d be perfect if I could query AD directly without going through SP web services. Not sure if it’s doable, but I’ll try to do some research on this.

Clayton Cobb said:

Why can’t you just make sure that you import profiles fully? The groups get imported automatically unless the profile import is set to only read from a certain container, and the groups aren’t in that container. It’s definitely not perfect to query AD directly, because that is a major security risk. There is a way to do it with web services, but you either have to create your own or purchase the ADWS from Qdabra – it’s cheap – but it doesn’t make sense to do that when SharePoint exposes that info to you at no cost and no risk. Why are you not keen on just making sure you get the groups to come through the profile import? That should be happening anyway, and if it’s not, the farm is not built correctly (the SSP actually).

I’m not sure why the groups are/were not set to be imported into profile. I don’t have the authority to adjust what data are imported from AD to Sharepoint. I’ll probably suggest it, but it’ll have to go through different areas and get approved by management before being implemented.

Clayton Cobb said:

I’m pretty sure that getting the profile import fixed – definitely not something that should have anything to do with management, but rather should be part of the daily operations of your SharePoint Administrator – will be much easier to accomplish than creating and installing a web service that directly touches a back-end business system (AD).

Scott Napolitan said

Is it possible to use InfoPath 2010 with User Roles at all anymore? I can’t seem to get the user Roles button to light up no matter what I do! Working with views and user roles seemed so much easier and more straightforward before. 😦

Clayton Cobb said

Are you working in a rich client (Filler) form? User Roles are not available in Browser Forms just like in 2007, and the templates at the top of the New page when creating a new form are all Browser forms. Go to File (Backstage) > Info > Advanced Form Options > Compatibility > Change to InfoPath Filler. Then, User Roles will work.

Why are Views less straightforward for you? For my environment, I add my favorite buttons to the Quick Access Toolbar so that I have everything in one place without clicking around. The ones I put in the QAT are the Manage Rules cluster, Controls cluster, Views cluster, Data Connections, Preview, Quick-Publish, Save, etc.

Scott Napolitan said

Clayton, any thoughts or suggestions around getting membership from a SharePoint group instead of AD? The web services are there to get users so we should be able to get groups. I think SharePoint groups are just as important (if not more) for security just because most organizations have a lot of hurdles to get through to add users to an AD group vs. just adding a user to a SharePoint group. Thanks!

Clayton Cobb said

Bil, yes, you can use the UserGroup.asmx web service that is just like the UserProfileService.asmx in that they are both in the _vti_bin folder and both can pull from profile and group data. Using the UserGroup service is more complicated, but I’m sure you can take advantage of it. There are some good step-by-step blog posts out there that show how to get the members of a SharePoint group and the SharePoint groups of a user, both of which can be very useful.

PATHEBEST15 said

I know you posted it. It sounds clear to you, but I wasn’t able to do it again. I have a project like an inventory of users’ access and everything in a form, but I just want to have the groups from Active Directory without adding them manually. Your tutorial is amazing, maybe too amazing. I just want to have the display name of the group for each user from Active Directory. I don’t know if it is more clear to you now or not.

Clayton Cobb said

I’m not sure it can work in 2003, but I know for sure it doesn’t work yet in 2010. The web service connects and all, but no data is returned. I don’t think it’s even related to InfoPath, because other methods of the same web service DO work. I think that groups just aren’t getting populated into the user profile database during the profile import, which would make it a SharePoint 2010 issue, not InfoPath. I’ve submitted this issue to the InfoPath team who hasn’t resolved it yet, and when I asked Microsoft on the forums, they came back and said it was a deep enough problem that it required me calling paid support. I was not willing to do that, because I think it’s a bug, so I’m waiting on the InfoPath team to get back with me.

In your case, when you say it isn’t working with InfoPath 2010, what version of SharePoint were you using?

CLUELESS said

I’m using MOSS 2007. I tried with InfoPath 2003, which doesn’t have external sources, and I tried with InfoPath 2010 as well, and it did not work. Do you have any idea of an alternative solution, even using coding, to get the Active Directory groups a user can be a member of?

Clayton Cobb said

Why can’t you use InfoPath 2007? If you’re using MOSS 2007, you should be using InfoPath 2007. It should work even if you use InfoPath 2010 to make a 2007 form. It only isn’t working for me in SharePoint 2010.

Clayton Cobb said

I don’t write any code, but even if I did, it wouldn’t make sense to write code when this is built-in functionality. Have you made sure that the profile import is running and populating the user profile database with groups?

Clayton Cobb said

That’s a SharePoint Administrator task. If you aren’t the architect or administrator for this farm, then this part is a bit tough. It’s an architectural/infrastructure piece that has to be configured on the SSP admin site.

CLUELESS said

Clayton Cobb said

You have admin rights but don’t know how to do this? Is this just a development environment? It is dangerous to have farm admin rights without having any SharePoint administrator knowledge.

On the SSP admin site, you go to User Profiles and Properties, then you configure the profile import, and then you run the profile import. After it completes, you go configure search and do a full crawl followed by a scope update.

Clayton Cobb said

SharePoint is gigantic. It is not something you just go to a website and get a tutorial. If you do not own the test environment, I recommend not touching Central Admin. If you do own it and are the only one using it, then give it a shot, but I recommend getting some professional training and lots of support from your company’s SharePoint architect.

CLUELESS said

Extraordinary, it’s working! Thank you very much for the GREAT help; it means a lot to me! I really appreciate it. I will consider the advice for the training, but it’s a test environment, and I will play around with it and see how to set up things.

CLUELESS said

Hey Clay, how ya doing? Thanks again for your help; now it works perfectly. But now I want to know if there is a way to autopopulate the group according to the Contact Selector directly, not looking at the current credentials. And besides that, thank you for the advice; my company is going to pay for my SharePoint training.

CLUELESS said

I have a form where I enter the name through the Contact Selector. Now I want to have the correct Active Directory group membership for the user I choose via the Contact Selector, because the tutorial you posted gives you back the current user’s Active Directory groups that they belong to.

Clayton Cobb said

My tutorial shows how to retrieve ALL groups, but I don’t understand what you want to do exactly. How would you know the “correct” group out of all these groups? People have more than one group. My tutorials also show how to get this information for other users – the one that talks about getting user information without code.

Clueless said

So from the user I can have his name, phone, account ID, etc. It is working fine.

The thing that I want is, when I choose the user from the Contact Selector, it gives me back the groups which the user is a member of. I’m aware there are several groups a user can be a member of in Active Directory.

Clayton Cobb said

Ok, I understand that, but that is exactly what my blog shows how to do, which is why I’ve been confused. You’re asking me how to do what I show you in my blogs. Take the technique in my blog named “InfoPath – Get user information without writing code (extended)” and apply it to this one that shows how to get AD groups. You just take the AccountId value from the Contact Selector and use it to query the GetUserMemberships method of the UserProfileService.

CLUELESS said

Hi Clay, it’s me again. I worked all day long on the InfoPath form. I did your tutorials for the Contact Selector; everything is working fine except the groups. It keeps giving me the current user’s groups; it doesn’t look at the Contact Selector. How can I modify it for the specific Active Directory group? Help, I’m completely lost right now.

Clayton Cobb said

You just have to follow my blog that I mentioned. If you keep getting only the groups of the current user, then you are not setting the query field of the User Profile Service data connection to the user in the AccountId field of the Contact Selector. My blog shows exactly how to do this except that with a Contact Selector, you can’t fire rules off the data fields. You have to create the rule on the non-repeating group that contains the Contact Selector fields. When a user is chosen in the Contact Selector, the rule will fire, which will set the accountName query field of the User Profile Service (GetUserMemberships), and then it will query (you set these actions). The query will retrieve the groups of the user specified in the AccountId field of the Contact Selector if you set it up to do so.

CLUELESS said

Hey, it’s me again. I might change my name to “annoying one”! I tried the whole complete tutorial (get user information, extended); it’s working fine. Then I tried to redo it with my form. I created a rule named rule1, and the rule is applied from the gpContactSelector group, referring to one of the 3 tutorials you recommended. As well, I tried to retrieve the right Department, but it returns blank.

Clayton Cobb said

Yes, I have two blog articles on this topic, including the one where you wrote this comment. The actual User Roles functionality is not available in browser forms, so I have given some workaround techniques.

Katy said

Thanks for your fast response, Clayton! I attempted the workaround… and applied it to an AD group and a SharePoint group… but the fields that I’ve locked down are still available to users who should not have permissions to them. I conditionally formatted it to say “DisplayName does not contain “FB InfoPath Admins”” and to “hide this control”, but it doesn’t work 😦 How should I go about debugging this issue? I’m working on InfoPath 2010 and SharePoint 2010… Thanks so much for your help!

Clayton Cobb said

By showing the values that you’re comparing on the form canvas while testing. If value1 does not match value2, then the conditional formatting should be applied. What you need to do is ensure you know what values are being compared by making them visible. A few notes: 1) My method doesn’t work with SharePoint Groups, only AD groups 2) You must have the User Profile Sync Service operational and have a full profile import that includes groups in the import
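An added example, not part of the original post or of Clayton’s form templates: InfoPath does all of this with rules and data connections rather than code, so the Python below is only a model of the same steps, useful for checking what the farm actually returns before blaming the form. It builds the SOAP envelope an InfoPath data connection sends to UserProfileService.asmx for GetUserMemberships(accountName) (the AccountId-from-Contact-Selector technique described a few comments up), parses a constructed sample response, keeps only the Source = SecurityGroup rows, and applies the same DisplayName comparison a conditional-formatting rule would. The element names (Source, DisplayName, MemberGroup/SourceReference) are the MembershipData fields the post lists; the service namespace, the account name and the sample response are assumptions, not captured from a real farm.

```python
# Added example (not the original post's or Clayton's code): a Python model of
# the no-code InfoPath technique so the compared values can be inspected.
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Namespace of the SharePoint User Profile web service. Assumed here; confirm
# it against /_vti_bin/UserProfileService.asmx?WSDL on your own farm.
UPS_NS = "http://microsoft.com/webservices/SharePointPortalServer/UserProfileService"


def tag(ns: str, name: str) -> str:
    """Clark-notation tag name for ElementTree."""
    return f"{{{ns}}}{name}"


def build_get_user_memberships_request(account_name: str) -> bytes:
    """SOAP envelope for GetUserMemberships(accountName).

    account_name is whatever the Contact Selector's AccountId field holds
    (hypothetical DOMAIN\\user form). It is assigned as element text, never
    spliced into a format string, so a crafted value cannot inject XML.
    """
    env = ET.Element(tag(SOAP_NS, "Envelope"))
    body = ET.SubElement(env, tag(SOAP_NS, "Body"))
    call = ET.SubElement(body, tag(UPS_NS, "GetUserMemberships"))
    ET.SubElement(call, tag(UPS_NS, "accountName")).text = account_name
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_memberships(soap_response: bytes) -> list:
    """Flatten every MembershipData node into the fields the post relies on."""
    root = ET.fromstring(soap_response)
    rows = []
    for md in root.iter(tag(UPS_NS, "MembershipData")):
        rows.append({
            "source": md.findtext(tag(UPS_NS, "Source"), default=""),
            "display_name": md.findtext(tag(UPS_NS, "DisplayName"), default=""),
            "source_reference": md.findtext(
                tag(UPS_NS, "MemberGroup") + "/" + tag(UPS_NS, "SourceReference"),
                default=""),
        })
    return rows


def ad_security_groups(rows: list) -> list:
    """The 'filter to show only the AD groups' step: SharePointSite and
    DistributionList rows are dropped; only SecurityGroup rows can carry
    SharePoint permissions."""
    return [r["display_name"] for r in rows if r["source"] == "SecurityGroup"]


def is_in_role(rows: list, role_group: str) -> bool:
    """The conditional-formatting test. Exact (case-insensitive) match on the
    group DisplayName rather than 'contains', so membership in a group whose
    name merely includes the role name does not unlock the control."""
    wanted = role_group.casefold()
    return any(name.casefold() == wanted for name in ad_security_groups(rows))


# Constructed sample response (not captured from a real farm) with one row of
# each Source kind mentioned in the comments.
SAMPLE_RESPONSE = f"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Body>
    <GetUserMembershipsResponse xmlns="{UPS_NS}">
      <GetUserMembershipsResult>
        <MembershipData>
          <Source>SharePointSite</Source>
          <DisplayName>Team Site</DisplayName>
          <MemberGroup><SourceReference>00000000-0000-0000-0000-000000000001</SourceReference></MemberGroup>
        </MembershipData>
        <MembershipData>
          <Source>DistributionList</Source>
          <DisplayName>All Staff</DisplayName>
          <MemberGroup><SourceReference>OU=Groups,DC=corp,DC=example</SourceReference></MemberGroup>
        </MembershipData>
        <MembershipData>
          <Source>SecurityGroup</Source>
          <DisplayName>FB InfoPath Admins</DisplayName>
          <MemberGroup><SourceReference>OU=Groups,DC=corp,DC=example</SourceReference></MemberGroup>
        </MembershipData>
      </GetUserMembershipsResult>
    </GetUserMembershipsResponse>
  </soap:Body>
</soap:Envelope>""".encode("utf-8")


if __name__ == "__main__":
    rows = parse_memberships(SAMPLE_RESPONSE)
    # The debugging step from the comment above: show every value that the
    # rule compares before trusting the rule.
    for r in rows:
        print(f"{r['source']:<17} {r['display_name']!r}  ref={r['source_reference']}")
    print("AD security groups:", ad_security_groups(rows))
    print("in 'FB InfoPath Admins':", is_in_role(rows, "FB InfoPath Admins"))
```

If the parsed rows contain only SharePointSite and DistributionList entries, the form is fine and the profile import is not bringing security groups through, which is the check to run before touching any conditional formatting.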

Katy said

Thanks for the super fast replies! (I’m hoping to fix this asap as I have a deadline to meet!) I apologize but I’m kind of new when it comes to SharePoint and InfoPath… Where can I go to confirm that my User Profile Sync Service is operational.. and have a full profile import that includes groups in the import? o.0

Clayton Cobb said

Katy, this area is advanced architecture in SharePoint. If you aren’t the one building/administering the farm, then you’ll need to work with whoever is doing that. I am a SharePoint architect first who happens to specialize in InfoPath, but that means I do all of the architecture and building of the SharePoint farm before I ever get to the InfoPath pieces. I have spent a year learning and playing with SP2010, so it may depend on how experienced your folks are. SP2010 expertise is very rare, but it appears your company has already made the plunge, yah?

Katy said

Thanks for getting back to me! I’ll reach out to my SharePoint support team and see what they can do… *crosses fingers* I hope they can get this resolved soon. And yes– we’ve already made the plunge! And I absolutely love SP2010! (Other than this issue I’m having with it, of course). Kudos to you on being such an expert! 🙂 Have a terrific weekend and Happy Friday the 13th!

Indra said

This is a great article, and it’s very informative and helpful, but I am facing a weird problem: I cannot see all security groups from multiple domains. We have cross-domain authentication, and the SP web service cannot get users from another domain’s AD security groups (only a few of them; every security group has the same permissions). I can see the full import can look at the security group, and I see a message that “spsimport: Crawled (The directory property cannot be found in the cache.)”. I am stuck; I need to switch views on AD groups.

Another one is that I can use usergroups.asmx and get the SP groups, but I think you mentioned somewhere about these problems; anyway, I am able to get that.

When I use sample data to get the data connection added, every time I load the form it hard-codes the sample data user no matter what I do. If you can help me with that, I can solve my problem.

Clayton Cobb said

Indra, to get groups from multiple domains, you’ll have to make sure all of those groups are being imported through the profile import, and you’ll have to configure the farm to accept users and groups into the profile import from multiple domains.

I don’t have a farm where I have to do that so I don’t have personal experience with doing it.

clueLE$$ said

Debi said

OK – I am trying to get this to work, and I have successfully made the data connection to GetCommonMemberships and pulled the repeating table onto a form – looks very similar to yours 🙂
In preview I get the Source dropdown, but it only includes DistributionList and SharePointSite. I was hoping for group membership from AD.
What am I missing here?
I do have synchronization of profiles successfully syncing to SharePoint.

Clayton Cobb said

Distribution Lists _are_ group memberships from AD. That’s exactly where they come from, and if they are showing up, then so would the AD Security Groups unless the user either doesn’t have any associated or the profile import isn’t getting them.

Debi said

When I “preview” in InfoPath 2010, the Source dropdown defaults to “SharepointSite” and I do see the name of a site that I am a member of – nice, but not what I want. If I change the Source to “DistributionList”, is something supposed to change (because it does not)?

Debi said

I followed your directions and now I have a form with all the fields showing – the “source” field on the form is a dropdown.

It is good to know that no one is getting this to work. I can quit trying things and getting frustrated.
Thanks for your quick response and your continued support of these products, you help me a great deal.

Nik Patel said

Clayton Cobb said

You should be able to, but it seems to be broken in 2010. Either the web service is broken, or the profile import is broken. I have a case open at Microsoft where an engineer is trying to figure it out. He already reproduced my issue and doesn’t yet know what is broken. I’m just waiting on him to finish…

Nik Patel said

Is the User Profile Synchronization service application required for UserProfileService.asmx to be available in SharePoint 2010? I have a User Profile Service enabled. Would it be enough to use the UserProfileService.asmx in InfoPath?

Clayton Cobb said

Only AD has security groups, but yeah, the User Profile Database is not aware of SharePoint groups and does not store them. I wish it did. Interesting that it gets DLs but not SGs. I only care about SGs, since DLs can’t be used for permissions in SharePoint, however, if DLs are coming through, then that’s another piece of data that can help resolve the issue.

I have tried all the methods and because we have SharePoint Security Groups, this is only reliable method. I haven’t tested your contacts list method for InfoPath 2007 but will try it out and decide which one will work in our scenario..

Thanks..

Nik

Clayton Cobb said

Nik, thanks for your effort. Due to your comment, I went and created a regular DL in AD, ran an incremental profile sync, then tested my form again, and the group showed up! Both my SGs and DLs have email addresses and are Global, but only the DLs show up. I’m going to monitor the traffic with MIISCLIENT now to see if the DL shows up. I already know the SGs come through the MIISCLIENT with no Display Name, so I want to see if the DL behavior is different.

Thanks, Clayton, for this thread. I had to chuckle when they asked you for the paid service. LOL..

Anyway, I will look out for a possible resolution on this thread. Please update this blog if MS ever fixes this issue in future patches. User Profile Services and FIM have many issues. I really wish MS had given us two profile sync options, like the two authentication modes (classic and claims): one profile sync could be the classic way like MOSS 2007, where you import only, and the other one with FIM to support both import/export. In that case, we wouldn’t have this issue at all.

Hi Clayton,
Thanks in advance for helping me.
I am getting stuck in this article at the point I am going to copy below.
In my InfoPath form, once a form has been submitted and we open that form again, there is a user field; only when the current user is the same as that form user should the form open in submission mode, otherwise it should open in read-only mode.

I am stuck at this part of your document:

* View this method’s node structure
* Drag the whole repeating group to the canvas and preview to see the result
* Reduce the table to the most useful fields and decide which ones you want to leverage
* Filter to show only the AD groups
* Create a drop down control bound to an element in your main data source that will show a selectable list of groups for a given user
* Use this information to apply conditional formatting on other controls

Clayton Cobb said

If you just need to compare the current user against a known user, then you would not use this article. This article is for determining if a user is part of an Active Directory group. All you need to do is create a field for storing the username of the person you want to compare, and then when the form loads, use a Form Load rule to compare the value in the field with the userName() function. If they are NOT equal, then switch the view to a Read-Only view. IF they ARE equal, then do nothing – let it open in edit mode. The key is determining who you want to put in “a field of user,” which is what you called it. I have some examples of this in my other blog regarding the User Profile Service.

I don’t know where to get this information. Please help me get out of this.

* Member Group – Source Reference: This shows the Organizational Unit path in Active Directory of the DistributionLists and shows a GUID for SharePointSites.
* Display name: This is the Display Name of the group as defined in AD. In Outlook, this name can typically be used as an addressee for an email, and the name will resolve to the email address. This name SHOULD be unique and will be what we use for our User Role matching later. For SharePointSites, this is just the site name.

Clayton Cobb said

Ok, so when the form loads, compare the current user with the DO field – simple as that. In 2007, Form Load rules are in Tools > Form Options > Open & Save > Rules. In 2010, they are in File (Backstage) > Info> Advanced Form Options > Open & Save > Rules. You add a rule to switch the view ON THE CONDITION that DO is not equal to userName().

Clayton Cobb said

Ankit, I already told you how to do this for the DO user, but that has nothing to do with user permissions. I also already told you twice that there is nothing in InfoPath that can detect a user’s permissions. Why did you ask 4 times?

Clayton Cobb said

Srikant, can you clarify what you mean? You said “after submitting the form it is not showing the fields.” What is “it”? What is the thing that is not showing the fields, and how/why/where do you expect to see these fields? When publishing the form template, did you promote your fields so that they could be seen?

You also said, “It is showing the entire form in the email, any clues?” Ok, again, what is “it.” You can’t use pronouns without first saying what the pronoun is referring to. As for email, are you saying that you are only submitting to email? If so, why do you not expect the entire form? What did you expect? What clues do you need?

Anita said

Hi Clayton,
Here you have shown how you can apply security to certain sections in an InfoPath form.
But what if I have to apply this kind of user-role-based security to filter out values in a dropdown?
Is that possible?
Thanks,

Clayton Cobb said

If the dropdown is populated with items from SharePoint, then security trimming already applies. Users will only see items that they have permissions to in SharePoint. If the items come from somewhere else, then each row of data needs to have some way to associate itself with a given user. How do you know which users are allowed to see which items? What determines this?

Clayton Cobb said

That’s one way to do it that is guaranteed, but how are you currently deciding who can see what? If you don’t already have granular permissions on those items, then how are you doing it, or how did you plan to restrict data from certain users (before even thinking about InfoPath)? The other way would be to add a metadata field to that source list that stores group names, and then only show items to people who are in the groups associated with the items. This would require filtering on the data connection, though, which can only be done in Filler forms for 2007, but it can be done in browser forms for 2010.

Clayton Cobb said

Cliff, is that the URL to your content web application? If not, then you need to give it the right URL. You don’t give the machine name – you give the full URL to wherever your content site is. That may still be at the machine name path, but it doesn’t sound like you have a site there, and I’m not referring to Central Admin. You need to create a web application, then create a site collection, then browse to that site collection. Whatever the URL is you use to browse to that site is what you should put in for the UserProfileService data connection.

Karla Langhus said

Thank you for taking the time to read this and helping people out. I too am a novice when it comes to InfoPath… at least I think I am. I hope that you or others reading this might be able to help me out. I have an InfoPath 2007 web-based form that has 6 views and has several data connections, including GetUserProfile. I would like to have one of the views only be available to the “Manager” but not the user. The problem is that when the manager opens up the form, the form thinks that the current user is the manager. I saw that you posted a reply to another person that you can use “obscurity” by using Form Load rules that check the identity of the current user, and if it’s not the current user, they don’t have access. I was thinking about using the same principle, as to see who the creator of the form was: if they were their supervisor (via GetUserProfile), then they would only see a view, and if they were not, then they would get an “unauthorized user” view. My problem is that I have no idea how to check the identity without code or with code… I hope this made sense… any help would be greatly appreciated.

Clayton Cobb said

Well, it depends on how you define your users. The first thing you should do is create a group of Submitter fields where you store the submitter’s username, account name, email address, and full name using userName(), AccountName (from UserProfileService), WorkEmail (from UserProfileService), and PreferredName (from UserProfileService). You do this by setting the default values of those fields and setting those fields NOT to recalculate the formula – this causes them to be set initially when the form is first opened (this is the Submitter) and never set again. You will need this data later. Next, you create a set of CurrentUser fields just like the Submitter fields, except these will get set using a Form Load rule with several actions to set those fields to the values of the current user. Store the same values as the Submitter. The reason you use a Form Load rule is so that it fires every time the form is opened so that you know who the current user is.

Once you have the above pieces setup, you can then add another Form Load (must come after the previous rule) that has a condition to compare the Submitter username with the CurrentUser username. If equal, then do nothing. If not equal, then switch views to the “Unauthorized User” view. In your case, you want to take it one step further with supervisor. This can be done dynamically AS LONG AS you know who each user’s supervisor is. If this value is set for everyone in Active Directory, and profile imports are being done regularly, then you can use this value in your forms. The field in AD is named “Manager,” and it’s the same property name in the User Profile Service. If you aren’t populating this value in AD, then you would need an external database or SharePoint list that defines the supervisor for every user – hopefully, you can’t rely on AD. So, you would add a Supervisor field to your group of Submitter fields for storing the Manager value of the Submitter when the form is first opened. Then, instead of comparing the CurrentUser with the Submitter, you would compare the CurrentUser to the Submitter Supervisor. Make sense?

Karla Langhus said

THANK YOU SOOO much for the quick reply! Normally I would be very quick in figuring this out.. however I am 4 months pregnant and my brain isn’t working like it should be 🙂 All the blood that normally goes to my brain…well it’s making a life 😉 At least that is what I think the reason is I have gone absent minded 🙂

I totally understand what you are proposing.. and I want to see if it will work for my form. As it turns out in my form I do have a field for supervisor.. so we are good to go in that aspect.

Just to give you some background on the form, I do have a “Welcome” view that describes what the form is and how to go about it. I figured I’d create a section called “Submitter information”; in there I have the fields for the submitter information (username, account name, e-mail address, full name), all being pulled from the “GetUserProfile” data connection, and they are not being recalculated.

The next step was to create a set of Current User field, but the information we would get from the form load rule.

This is were my brain just said “does not compute”.. for some reason I just can’t get my brain around it.

From what I gather, I would create another section, below the submitter section in the welcome screen, called “Current User”; there I would have the current user fields (Username, Account Name, E-mail Address, Full Name). So instead of clicking on the field itself, I would go to “Form Options”, “Open and Save”, “Rules”, and add my first rule, which I called “Current User”. There is no condition? (Right???) And the “Action” would be “Set a field’s value”, select the field (Current User Account), and the value would be “CurrentUser”???

I just don’t know what the fields are for the currentuser?

I hope this made sense 🙂

Thanks again for your help!

Karla

Clayton Cobb said

Karla, you have to make the fields for CurrentUser. They will be a new group of fields in your main data source, and you will set them just like your Submitter fields except within the Form Load. Yes, there will be a condition, and the condition is that the form is not new. I always determine “new” by using the strFilename field from my Auto-Generating Filenames blog. If that field is not blank, then I know the form is not new.

Clayton Cobb said

Karla, you can have multiple submit data connections… it’s no problem. However, I don’t recommend submitting to email for that purpose, because it sends the form. What you mentioned would be done with a simple workflow.

Karla Langhus said

I really appreciate everything… and I think this is my last question… just curious, for the Form Rules, is there a limit? I really like the idea of having a view that has “unauthorized access”; however, each time I create that rule as the last rule, each time I open any form, or a new one, I get that “unauthorized access” view.

For the Form Rules I have:

1. Current User (strFilename is not blank)
2. Compare users (submitter username = current Username)
3. Compare to Supervisor (currUserName = Manager)
4. Compare to Unauthorized (submitter username doesn’t equal Current User Name or Manager does not equal Current User)

If I take the last rule out everything works so far.. (still need to check on the supervisor view).. but the last rule just supersedes the rest.

Again, I really appreciate this 🙂

Thanks
Karla

Clayton Cobb said

Karla, rules always run in order top to bottom, so if that’s your last rule, then you would expect it to be the last thing that happens. This does not indicate a limit – it’s just logic. If you don’t want to be sent to that view, then make sure you don’t tell it to send you to that view. If you don’t want your rules to be evaluated if a previous condition was met, then you need to check the box that tells InfoPath to stop processing rules. Or, maybe your logic is wrong. It should be AND instead of OR.

I have a question that I would be grateful if you can give me any clue to solve. I have a browser-enabled InfoPath form that has a section. This section needs to be hidden if the form is viewed by users who are not in a specific SP group. I have had a look at your post regarding the same problem; however, it was checking if the user is a member of an AD group.

Is there anyway that I can check what SP group the user belongs to when he/she opens up the form without any coding.

Heather Z. said

Hi Clayton,
Thank you for this very helpful information on integrating the AD groups with the InfoPath forms, very useful! Quick question for you…..have you found any issues with integrating this into Optional Sections in a form? I had some optional sections and for some reason the user roles didn’t work for those….they really didn’t work until I removed the optional sections and then added them as sections instead. Just curious why I might have had this issue and if you knew why it might happen.

Clayton Cobb said

Why use optional sections? Are they “optional” based on the user’s identity, or are you saying they have two sets of logic – one determined by the user’s identity and one determined by the user’s decision to add the section? I don’t ever use optional sections, because I make them shown/hidden based on logic in the form or in the workflow status, so there may be an issue I’m not aware of.

Heather Z. said

Thanks Clayton. When I first started working on these forms months ago, I always used optional sections because I didn’t understand the difference between optional and just regular sections. I am now going through and updating my forms so the optional sections are now just normal sections so I can get this to work for every section of the form. If that makes sense. 🙂 Thanks again!

Karen said

Clayton, is it possible to use this concept outside of InfoPath? In other words, is it possible to apply this concept in a SharePoint (2007) list form (e.g. EditForm.aspx, etc.) using SharePoint Designer 2007? Thanks in advance!

Clayton Cobb said

It’s definitely not easily available in a regular list form. SPD does let you create DFWPs where you can do heavier customization, but it’s not like using InfoPath. You’ll need to create data sources first and then reference them in your custom list forms. I personally haven’t gotten the UserProfileService.asmx to work in an SPD data source the way it does in InfoPath.

Tracy said

Hi Clayton – great post. I am a novice to InfoPath. We have had to resort to the Qdabra solution, as we were unable to retrieve from Active Directory. I am trying to create a form that loads certain views depending on whether the current user is in a certain “group”. My question is, I have set up 2 “load” action rules:

set a fields value – which looks at the logged in user name
Query using data connections to “getGroupsforUsers”

I am now not sure how or where to set the Load rule, as these 2 rules have to run first to determine the user and the group; then I want it to open a certain view depending on whether the user is in a certain “group”. How/where do I achieve this?

Clayton Cobb said

You set these rules in the Form Load rules area. It’s a section in the Data ribbon. I use that exact Qdabra ADWS and that exact web method, so I know it works and works very well. You switch the view based on the same Form Load rule. You first retrieve the user’s groups using the getGroupsforUsers, and then you switch the view ON THE CONDITION that “any occurrence of Group is equal to .” I have this concept on my blog…the one you commented on. It’s the same concept but using a different web service.

Is there any way to overcome error 5566 in InfoPath 2010 on browser-enabled forms? If I open up my form with the InfoPath client, the Content Selector works with usernames, but Job Title and Department are not accessible on browser-enabled forms if I am using secondary data sources (UserProfileService.asmx).
We have MOSS 2007, and I save my forms as an IP 2007 Web Browser Form Template to be able to publish to MOSS 2007.
I guess it is a security issue on SharePoint, but what and where needs to be checked?
Appreciate your help!

Clayton Cobb said

Sandor, it’s not just a random error. It is caused by very specific authentication issues or blockages in your environment. You have to find the actual issue by digging into the ULS logs. This always happens with browser forms, because browser forms are invoked by the web front end itself on your behalf, so it introduces authentication issues if your farm is not set up correctly.

Clayton Cobb said

Devia, you don’t need a web service to put conditional formatting on controls nor to switch views. You just have to decide what sort of data you want to use to make your logic decisions. You can base the decisions off data in a list, data in a database, data in an XML file, data in the form, or you can use the User Roles feature if you’re building Filler (client) forms.

devia said

The issue is, I am actually trying to restrict access to a view based on a SP group grp. We are not making use of InfoPath 2010 Filler; instead we are using Designer. Is there any other way besides the web service?

Clayton Cobb said

What do you mean using Designer and not Filler? The Designer is always used to design forms, but it isn’t used to fill in forms by the user. It’s either a Filler form (uses the InfoPath client) or a browser form (only used in the browser).

You can’t leverage SharePoint groups without using the UserGroup.asmx web service or using User Roles (requires Filler form; cannot be used in Browser forms). My article does not talk about SharePoint Groups though; it only talks about AD Security Groups. How are you expecting to leverage SharePoint Groups without touching a web service, and why can’t you use that web service?

devia said

The web service which I am using is GetCommonMemberships as mentioned in your article. However, when logging in as an “IT Support” in SP, he/she is allowed to only view the “IT Support View”. What is happening now is that if a user is not part of the “IT Support” SP group, an error is prompted and upon clicking “OK” the IT Support view is still visible despite the user not being in the IT Support SP group.

And yes, I am using browser forms and not Filler forms.

Clayton Cobb said

Devia, you should have mentioned this information in your original comment, because asking if this can be done without the web service is not the root of your problem. Your problem is that your form logic just isn’t correct yet, and you need to track down the error. The error is telling you something, but maybe you didn’t read it? You should not just hit “ok” and continue. If an error occurs, then that means something is wrong. The rule is not firing to switch the view, and you need to fix that rule. Don’t just blow away everything without trying to fix the error first.

Also, these are NOT SharePoint Groups you’re working with. I clearly explain that in the article that these are Active Directory Security Groups. You have said multiple times now that you’re working with SP groups, but you’re not. These groups come from AD and are synced into the SharePoint profile database. The only other way to get AD group memberships is to build your own custom web service to retrieve them directly from AD.

Clayton Cobb said

Ok, then you have a problem connecting to the web service. You need to figure out why. This should have been the only thing discussed so far – it has taken far too long to get to the root of the real problem. You need to have whoever runs this farm troubleshoot it with you by reviewing the logs and finding the issue. If it only fails for certain people, then it’s specific to permissions for those people.

devia said

Danny said

This article is excellent, but I’m unable to actually see all the memberships of other users.

When I query the web service with another username it just returns the membership I have in common with them. Obviously this is quite a pain for testing purposes.

Is there a reason that I wouldn’t be able to see the memberships of other users? I’ve also tried this with the GetUserMemberships method but that returns nothing for other users. Is this a security restriction?

Clayton Cobb said

GetCommon does exactly that…it gets the groups you have in common with the specified user. GetUser is better, because it gets all memberships of the specified user. If you can see the common ones, then you shouldn’t get an empty data set for GetUser. Are you on 2007 or 2010? This doesn’t actually work in 2010 due to a bug that I have submitted and that is supposed to get fixed by this summer.

Danny said

I want to be able to see all the memberships for another user. So when I query GetCommonMemberships using somebody else's username, the data returned is the memberships I share with them (which is expected).

When I query using GetUserMemberships using somebody else's username it returns nothing, which leads me to suspect that I do not have access to see other people's memberships. I did not think this was an issue, though I obviously may be mistaken.

Clayton Cobb said

Can you see that person’s memberships if you go to his/her profile page in the MySites area? You shouldn’t be able to see common memberships if you can’t see their regular list of memberships. The list of common memberships would have the same restrictions. All of this does get driven by the Personalization Services Permissions in the SSP administration area. You have to make sure all users have rights to “Personal Features.”
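The exchange above is about what GetUserMemberships returns and how the form should react to it. The following is an added example, not code from this post or from the blog's no-code InfoPath technique: it shows the SOAP call the form's data connection makes to UserProfileService.asmx, parses a constructed (not captured) response, and applies the same "any occurrence of DisplayName equals X" decision InfoPath's view-switch rule makes, with the important difference that an empty or failed result falls to the restricted view rather than leaving the privileged one visible. The namespace URI and the MembershipData child elements used here are assumptions based on the service's WSDL, simplified to the fields the decision needs.

```python
import xml.etree.ElementTree as ET

# Assumed namespace of the SharePoint User Profile Service (from its WSDL).
UPS_NS = "http://microsoft.com/webservices/SharePointPortalServer/UserProfileService"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def build_get_user_memberships_request(account_name: str) -> str:
    """Build the SOAP 1.1 envelope for the GetUserMemberships web method.

    This mirrors what the InfoPath data connection sends; accountName is the
    DOMAIN\\user value the form feeds in from its userName() field.
    """
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    call = ET.SubElement(body, f"{{{UPS_NS}}}GetUserMemberships")
    ET.SubElement(call, f"{{{UPS_NS}}}accountName").text = account_name
    return ET.tostring(env, encoding="unicode")


def parse_memberships(soap_xml: str) -> list[dict]:
    """Return one dict per MembershipData element (tag name -> text).

    Any failure to parse (SOAP fault, truncated body) yields an empty list so
    the caller treats it exactly like "no memberships" and stays closed.
    """
    try:
        root = ET.fromstring(soap_xml)
    except ET.ParseError:
        return []
    memberships = []
    for md in root.iter(f"{{{UPS_NS}}}MembershipData"):
        entry = {}
        for child in md:
            local_name = child.tag.split("}")[-1]
            entry[local_name] = (child.text or "").strip()
        memberships.append(entry)
    return memberships


def select_view(memberships: list[dict], required_group: str,
                privileged_view: str, default_view: str) -> str:
    """Pick the view to open: the InfoPath rule 'any occurrence of
    DisplayName is equal to <group>' expressed as a default-deny check."""
    names = {m.get("DisplayName", "").casefold() for m in memberships}
    if required_group.casefold() in names:
        return privileged_view
    return default_view


# Constructed sample response: an email-enabled AD group and a SharePoint site
# membership, in the shape the parser above expects (not a real capture).
SAMPLE_RESPONSE = f"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Body>
    <GetUserMembershipsResponse xmlns="{UPS_NS}">
      <GetUserMembershipsResult>
        <MembershipData>
          <Source>DistributionList</Source>
          <DisplayName>IT Support</DisplayName>
          <MailNickname>itsupport</MailNickname>
        </MembershipData>
        <MembershipData>
          <Source>SharePointSite</Source>
          <DisplayName>Intranet Members</DisplayName>
        </MembershipData>
      </GetUserMembershipsResult>
    </GetUserMembershipsResponse>
  </soap:Body>
</soap:Envelope>"""

# Constructed empty result, i.e. what Danny reports seeing for other users.
EMPTY_RESPONSE = f"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Body>
    <GetUserMembershipsResponse xmlns="{UPS_NS}">
      <GetUserMembershipsResult />
    </GetUserMembershipsResponse>
  </soap:Body>
</soap:Envelope>"""


if __name__ == "__main__":
    print(build_get_user_memberships_request("DOMAIN\\jdoe"))
    groups = parse_memberships(SAMPLE_RESPONSE)
    print([g["DisplayName"] for g in groups])
    print(select_view(groups, "IT Support", "IT Support View", "Default View"))
    print(select_view(parse_memberships(EMPTY_RESPONSE), "IT Support",
                      "IT Support View", "Default View"))
```

The design point is the ordering of the rules: the membership query must complete before the view-switch condition is evaluated, and the condition must only ever open the privileged view on a positive match. A query error or an empty MembershipData set is indistinguishable from "not a member" and lands on the default view, which is the behaviour Devia's form above was missing when the error dialog was dismissed.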

Danny said

I can see a list of memberships on their mysite page. Thanks for this idea, I didn’t even think to use mysite as this is something that isn’t really used at this organisation.

So just to clarify, are the memberships listed on a user’s mysite what the GetUserMemberships WS would return? If that’s the case I can just check on mysite to make sure the correct membership is present.

Thanks again for taking the time to help me out! I really appreciate it.

Danny said

Sorry to bother you with this. Just wanted to say that I never got this to work.

In the Personalization Services Permissions users had access to ‘Personal Features’ and ‘Personal Site’ but the GetUserMemberships service would still not run for other users. After a little testing I found that giving ‘Manage Audiences’ access allowed it.

Is this not how it’s meant to work? I am a bit hesitant to give this access in our prod environment because I don’t really know what else it does.

Do you have any thoughts/advice to share on this?

Irhad Babic said

I know this may sound dumb, but I’m unable to create any custom groups in my main data connection. So I’m stuck here: “First, manually create all the fields and groups you see below (Fig 6)…” I’m using SharePoint 2010, so I’m aware that I will have more problems with this as there are some changes in SP2010 that prevent using UserProfileService.

Irhad, are you trying to customize an InfoPath 2010 list form? If so, then you can’t create groups in the data structure and are bound by the normal list fields. If that’s not what you mean, then I need more clarification.

As for changes in SP2010, I’m not aware of any that prevent using the UserProfileService unless you’re referring to the issue where AD Security Groups no longer show up in the results of the GetUserMemberships method due to how they are stored in the profile database (this is being fixed in a CU, btw).

Irhad Babic said

Yes, this is list form. I have a really big form (dozens of views) implemented in a wizard like manner. Client needs to prevent non-Manager persons from filling out some of the views (actually they need the wizard to skip these views in that case). First I wanted to do this by using sharepoint groups, but I failed. Luckily, they have similar user groups on their domain controller so I wanted to try following this awesome article…

Yes, that’s what I thought. Sorry for my silly questions (I’m new in SP development, as you can see :)), but what’s CU?

Ok, so you won’t be able to use this method in 2010 for AD Security Groups, but you _CAN_ use it with AD Distribution Lists if they have a Managers DL already (or if they are willing to create one). You would then be able to reference that DL using my article to hide/avoid/skip certain views for non-Managers. A CU is a Cumulative Update, and it’s how Microsoft provides major updates every 2 months for SharePoint. This fix is supposed to be in the October CU and would cause AD Security Groups to start showing up when using my method.

Irhad Babic said

Thanks for clarification on CUs and thank you for your precise and clear answers.

Can you tell me which service should I use in case they’re willing to create distribution lists? And of course, as this is a list form, how can I follow your article for creating groups in my main data connection?

It’s the same for DLs as SGs – they show up when using this technique and this exact web method. You don’t have to do anything different. The reason I use SGs instead of DLs is because SGs can be used for permissions in SharePoint while DLs cannot, so DLs are not as efficient. However, they can still be used to meet the needs you’ve stated in this thread. I thought you said a Manager group already existed on the domain controller (Active Directory really). You can’t create groups in an InfoPath list form, but you shouldn’t need to. You can use sections, and the sections have to be bound to the existing group (the SharePointList_RW group) that holds all of your data elements. List forms are very restricted in terms of data structure. My technique in the article is intended for full library forms, but the concept in general can still be leveraged.

Irhad Babic said

Well great, I did not realize I can use SGs. That’s one thing we already told them to create, but I was afraid it’s gonna be in vain.

I will try with sections then.

Yeah, they told us they’ve created several manager groups on AD, but I’d rather use Sharepoint Groups, as SGs will be used for some custom workflows as well. ATM I’m waiting for them to send me urls of their AD web services.

I’m gonna try this once more. Hope you don’t mind me bothering you again if I get stuck

I think you meant you didn’t realize you could use DLs? Anyway, you may be confusing some items here, so I want to clarify a few items:

SharePoint Groups are not related to this at all. You can’t use SharePoint Groups at all in this scenario. The method for using SharePoint Groups to determine group membership is a completely different technique and different web service. It requires exploding the template and making internal modifications, and I haven’t tried that with list forms to make sure it works.

Unless your IT team has actually CREATED custom AD web services, then you would not be asking them for URLs. You’re already using the UserProfileService.asmx web service to retrieve group membership from AD via the SharePoint User Profile Service. That is the web service you should be using if you’re using my article, and you already have the URL – it doesn’t come from IT.

If you requested AD groups, then the key is whether they are SGs or DLs. The difference is simply a radio button, so one can be converted to the other easily with a button click. Just be sure the SGs are email-enabled, which is a key factor.

Robin Thakur said

Hi Clayton, I’m an avid reader 🙂 I’m doing this on SharePoint 2010 with a customised infopath 2010 form and am looking to lock down the view based on whether a user is a member of an AD Security Group. When I drag the repeating table onto the form for MembershipData it only shows one group (A Sharepoint group) but on other users it shows more groups. What’s causing that? The account I’m using is detected properly and is a SharePoint Admin but is a member of loads of AD Security groups which are not shown. I am fairly sure that Groups are being synced by the UPS (the option is ticked in sync options to do both) and the containers for the groups are ticked in the Import Connection. Any assistance you can offer would be much appreciated.

Robin, this hasn’t worked in 2010 from the beginning. AD security groups do not show up in 2010 when using this method. I’ve been fighting to get it fixed since 2010. It’s an open ticket that Microsoft is working on directly in order to fix it.

Robin Thakur said

Hey Clayton. Sorry, I did some more searching and came across the fact that this is a bug with SharePoint 2010/InfoPath 2010. Did you ever manage to get this resolved with MS? I guess we could use DLs at a pinch, but I’d really rather not, and we don’t have budget for QDABRA sadly.